Handling multiple IdPs in wso2 - wso2

How to achieve below Scenario:
I have multiple IDP such as APM, Predix, etc. Every IDP has its own user management such as a create user, groups, etc.
tenant 1 - APM
tenant 2 - Predix
Is there any configuration in WSO2 base on tenant dependant they will be giving a response such as Tenant 1 in request automatically wso2 connect to APM and giving endpoint information?

Doc - 1, guides the steps to configure federated identity provider to WSO2 IS. You can create different service providers and select the required IdP for each service provider. Steps to configure federated IdP to a service provider can be found in [2], under section "Click here for details on how to configure local and outbound authentication"
Edit: Identity Provider can be created in WSO2 IS to represent the external IdP. We can create service providers (based on the requirement, it could be created in relevant tenants) select federated authentication as "Authentication Type" and select the relevant IdP from drop down menu.Refer the image below:
1 https://docs.wso2.com/display/IS570/Configuring+Federated+Authentication
[2] https://docs.wso2.com/display/IS570/Adding+and+Configuring+a+Service+Provider

Related

Finding the correct SAML Identity provider to authenticate a user

I am trying to configure Google Cloud Identity Platform to use multiple SAML identity providers. Still, I'm stuck at the point of selecting the right IdP for every person attempting to log in.
I have read about SAML v2 IDP Discovery Service but I don't really understand how it works since I am a novice in SAML.
So does it have to be a programmatic solution or does GCIP have something that I can configure to automatically select the right IdP for each user?
If it has to be a programmatic solution can someone point me to a good explanation of SAML v2 IDP Discovery Service?
Yes, you can set up Google Cloud Identity Platform (GCIP) to automatically select the appropriate identity provider (IdP) for each user. A protocol known as SAML v2 IDP Discovery Service enables users to select their IdP from a drop-down menu. Its purpose is to make it unnecessary for users to remember which IdP they should use.
You will need to configure the service in your GCIP project in order to put this into action. Each provider's metadata and any additional parameters that the IdP may require must be provided to the IdP. The user will be able to select their IdP from a drop-down menu on their login page following the completion of the configuration. The official Google documentation provides additional details on how to use SAML v2 IDP Discovery Service.
Refer to this how to enable multi-tenancy for Identity Platform and Creating a sign-in page for multiple tenants

wso2 : how to configure ADFS based authentication on per-tenant basis

We are trying to use WSO2 IS 5.3 as IdP to perform SAML2 Web SSO for a multitenant SaaS app.
We’d like to host a single instance of the app, register app as a service provider in WSo2 IS , create/manage tenants in WSo2 IS and configure different authentication means for each tenant.
In the POC we can successfully register our app as SaaS service provider and users from different tenants can login into App as soon as users are listed in the tenant’s primary or secondary user stores.
However we cannot find info on how to configure ADFS based authentication on per- tenant basis (i.e. each tenant has its own IdP configured with ADFS based Federated authenticator. When user logs into app , WSO2 IS, based on customer’s domain name, would use IdP from corresponding tenant)
We followed this link and can set ADFS based authentication for superuser tenant and it works fine. (i.e. ADFS is configured as IdP for superuser tenant and we use Federated authentication in service provider associated with our app) ….
Question is how can we achieve the same but enable/configure ADFS based authentication on per-tenant basis?
Thank you in advance for comments/ideas !
Update:
we were able to configure ADFS on per customer basis(following steps from blog https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/ ) and used tenantDomain parameter to differentiate b/w tenants during authentication.
In the final solution we made web app available to different tenants under different URLs . The app, based on the URL used to access it , would reconstruct and include tenantDomain parameter (as specified in WSO2 IS documentation ) into SAML request and that would effectively instruct WSO2 to use IdPs/auth means configured for that specific tenant for authentication

wso2 identity server 5.3.0 users and multi tenancy configuration guidelines with Oauth2 if possible

Can anyone help me out with a guideline to configure a specific Service Provider to a specific Tenant only, i.e. exclude all tenants from accessing the specific Service Provider.
I tried creating Service Provider using the guidelines from:
https://docs.wso2.com/display/IS530/Configuring+a+Service+Provider
by the way I used oauth2 with Implicit flow.
Then I created multiple tenant domains like:
abc.com
xyz.com
I created rob under abc.com tenant and sam under xyz.com.
when I use url(https://localhost:9443/oauth2/authorize?response_type=token&client_id=my_client_id_was_here&redirect_uri=my_redirect_uri_was_here) to login, login page showed up but I was ABLE to login using both rob and sam credentials.
What I want is to do is to restrict users of only one specific domain/tenant to access my service provider.
Thanks in advance
To restrict a service provider to a specific tenant, you have to create that service provider inside that tenant. So to create a SP inside "abc.com". Log into that tenant using a tenant user (rob#abc.com) and create the service provider inside it.

WSO2 : Can I assign Facebook or Google user to a specific tenant?

My environment is wso2 API-M + wso2 IdP + wso2 DAS. I set SSO with those components and Facebook and Google users can log in to my environment.
My question is :
If I create 2 tenants in API-M, how should I assign Facebook or Google users to a specific tenant I created while they logging in API-M? (without auto user provision).
From service provider configuration --> Local & Outbound Authentication Configuration
check "Use tenant domain in local subject identifier"

How to TO provide access to the same service provider for different tenants users in WSO2 IS?

I have created 2 tenants in WSO2 identity server.
We need to deploy a sample application to which users belonging to both the tenants should have access to using SAML 2.0.
Please suggest how the sample application can be configured as service provider in WSO2 Identity Server to achieve this requirement.
Assuming that the above is done, we would also like to know how the application can identify which User belongs to which tenant once the login is successful? is this some information that would be passed in SAML response ?
You can create the service provider in SaaS mode. With this configuration, service provider will be visible to all the tenants in the Identity Server. You can find how to configure a SaaS application from the documentation at [1]
If you want to return the tenant domain with the subject identifier in the saml response, you can enable 'Use tenant domain in local subject identifier' in 'Local & Outbound Authentication Configuration' of the service provider. More information is available in [2].
[1] https://docs.wso2.com/display/IS510/Configuring+a+Service+Provider#ConfiguringaServiceProvider-Addingaserviceprovider
[2] https://docs.wso2.com/display/IS510/Configuring+Local+and+Outbound+Authentication+for+a+Service+Provider
is olso needed to put in the url the query param for select the right tenant, I modifyed the urls in the metadata.xml generated from the WS2 IS from someting like this:
https://your-domain:9443/samlsso
to
https://your-domain:9443/samlsso?tenantDomain=tenant-name
And use this metadata.xml in the SP
Otherwise when the SP send the saml message the IS will geneate the log "Service Provider with the issuer 'xxx' is not registered." if your SP is not registered in the super tenant
WSO2 IS 5.10